Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 436234 (CVE-2012-2859) - <www-client/chromium-22.0.1229.79 multiple vulnerabilities (CVE-2012-{2859,2860,2874,2876,2877,2878,2879,2880,2881,2882,2883,2884,2885,2886,2887,2888,2889,2891,2892,2894,2896})
Summary: <www-client/chromium-22.0.1229.79 multiple vulnerabilities (CVE-2012-{2859,28...
Status: RESOLVED FIXED
Alias: CVE-2012-2859
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://googlechromereleases.blogspot....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-25 18:16 UTC by Mike Gilbert
Modified: 2012-10-21 15:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Gilbert gentoo-dev 2012-09-25 18:16:35 UTC
Lots of bug fixes; see release notes in URL.
Comment 1 Mike Gilbert gentoo-dev 2012-09-25 20:09:31 UTC
Please stabilize.

=dev-lang/nacl-toolchain-newlib-0_p9093
=dev-lang/v8-3.12.19.11
=www-client/chromium-22.0.1229.79
Comment 2 Agostino Sarubbo gentoo-dev 2012-09-26 10:16:01 UTC
amd64 stable
Comment 3 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-09-26 10:32:25 UTC
CVE-2012-2893 is a vulnerability in libxslt and is handled separately in bug #436284
Comment 4 Agostino Sarubbo gentoo-dev 2012-09-26 10:52:36 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2012-09-26 10:57:16 UTC
Removed old. Please go ahead with the glsa
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-09-30 20:17:18 UTC
CVE-2012-2896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2896):
  Integer overflow in the WebGL implementation in Google Chrome before
  22.0.1229.79 on Mac OS X allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via unknown vectors.

CVE-2012-2894 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2894):
  Google Chrome before 22.0.1229.79 does not properly handle graphics-context
  data structures, which allows remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact via unknown
  vectors.

CVE-2012-2892 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2892):
  Unspecified vulnerability in Google Chrome before 22.0.1229.79 allows remote
  attackers to bypass the pop-up blocker via unknown vectors.

CVE-2012-2891 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2891):
  The IPC implementation in Google Chrome before 22.0.1229.79 allows attackers
  to obtain potentially sensitive information about memory addresses via
  unspecified vectors.

CVE-2012-2889 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2889):
  Cross-site scripting (XSS) vulnerability in Google Chrome before
  22.0.1229.79 allows remote attackers to inject arbitrary web script or HTML
  via vectors involving frames, aka "Universal XSS (UXSS)."

CVE-2012-2888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2888):
  Use-after-free vulnerability in Google Chrome before 22.0.1229.79 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving SVG text references.

CVE-2012-2887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2887):
  Use-after-free vulnerability in Google Chrome before 22.0.1229.79 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors involving onclick events.

CVE-2012-2886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2886):
  Cross-site scripting (XSS) vulnerability in Google Chrome before
  22.0.1229.79 allows remote attackers to inject arbitrary web script or HTML
  via vectors related to the Google V8 bindings, aka "Universal XSS (UXSS)."

CVE-2012-2885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2885):
  Double free vulnerability in Google Chrome before 22.0.1229.79 allows remote
  attackers to cause a denial of service or possibly have unspecified other
  impact via vectors related to application exit.

CVE-2012-2884 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2884):
  Skia, as used in Google Chrome before 22.0.1229.79, allows remote attackers
  to cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2012-2883 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2883):
  Skia, as used in Google Chrome before 22.0.1229.79, allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors that trigger an out-of-bounds write operation, a different
  vulnerability than CVE-2012-2874.

CVE-2012-2882 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2882):
  FFmpeg, as used in Google Chrome before 22.0.1229.79, does not properly
  handle OGG containers, which allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via unknown vectors,
  related to a "wild pointer" issue.

CVE-2012-2881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2881):
  Google Chrome before 22.0.1229.79 does not properly handle plug-ins, which
  allows remote attackers to cause a denial of service (DOM tree corruption)
  or possibly have unspecified other impact via unknown vectors.

CVE-2012-2880 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2880):
  Race condition in Google Chrome before 22.0.1229.79 allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors related to the plug-in paint buffer.

CVE-2012-2879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2879):
  Google Chrome before 22.0.1229.79 allows remote attackers to cause a denial
  of service (DOM topology corruption) via a crafted document.

CVE-2012-2878 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2878):
  Use-after-free vulnerability in Google Chrome before 22.0.1229.79 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to plug-in handling.

CVE-2012-2877 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2877):
  The extension system in Google Chrome before 22.0.1229.79 does not properly
  handle modal dialogs, which allows remote attackers to cause a denial of
  service (application crash) via unspecified vectors.

CVE-2012-2876 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2876):
  Buffer overflow in the SSE2 optimization functionality in Google Chrome
  before 22.0.1229.79 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors.

CVE-2012-2874 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2874):
  Skia, as used in Google Chrome before 22.0.1229.79, allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors that trigger an out-of-bounds write operation, a different
  vulnerability than CVE-2012-2883.
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2012-10-01 09:16:26 UTC
GLSA draft ready for review.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-10-21 15:43:33 UTC
This issue was resolved and addressed in
 GLSA 201210-07 at http://security.gentoo.org/glsa/glsa-201210-07.xml
by GLSA coordinator Sean Amoss (ackle).